Comments on: CyberSpeak interview

By: Didier Stevens

Didier Stevens — Tue, 24 Jul 2007 18:14:49 +0000

That is right, shifting a counter is a programmers hack, but using ROT13? You’re clearly sending a message when you do this, but what kind of message?

By: www.andrewhay.ca » Suggested Blog Reading - Monday July 23rd, 2007

www.andrewhay.ca » Suggested Blog Reading - Monday July 23rd, 2007 — Tue, 24 Jul 2007 11:52:02 +0000

[...] CyberSpeak interview – Check out Didier’s interview. My interview on the CyberSpeak podcast about my UserAssist tool is up. I discovered I speak English with a French accent But I’m not French, I’m Flemish! [...]

By: keydet89

keydet89 — Tue, 24 Jul 2007 11:00:43 +0000

The fact that the count field starts at 5 is strange, yes…but the whole issue about ROT-13 ‘encryption’ is even stranger! Why, of all keys, would those particular keys have values that are ROT-13 encrypted?

I have my own tools that get this information from NTUSER.DAT files extracted from forensic images. I use these tools on a regular basis, and have even had cases recently were these tools were the starting point of my investigation. A very interesting capability that I have added to the tools is the ability to sort the entries by their timestamp value, going from most recent and walking backward through time. This functionality has been extremely helpful, particularly in intrusion or UAP violation cases, where the “when” of an activity is as important as the “what”.

By: Didier Stevens

Didier Stevens — Mon, 23 Jul 2007 19:19:24 +0000

Yes, starting to count from 5 is strange. When programmers work with a counter and they need some special values that have another meaning than the actual numerical value, in “the olden days”, they would use something like 99. So they would attribute special meaning to the maximum values, not to the minimum values.

This technique caused some interesting bugs in 1999 and 2000

By: Dave

Dave — Mon, 23 Jul 2007 19:08:26 +0000

I was intrigued to hear the process by which you have managed to identify what the elements of data in UserAssist mean (I realise there are more to clarify). I guess it requires a painstaking logical approach to understand exactly what happens, for instance, if a program is removed from the Start Menu. I’ve seen the Gates = 5 comment before and would really like to know the reason behind the count starting at 5 rather than 0. I suspect that we’ll never know the real reason.

Thanks for your explanation and hard work.

By: Didier Stevens

Didier Stevens — Mon, 23 Jul 2007 18:10:02 +0000

Thanks Harlan!

I’ve also been pondering the malicious and mischievous possibilities of the UserAssist keys, but I don’t know about any malware exploiting these keys. I’ve searched for UserAssist in a couple of virus description databases, but without success.

By: keydet89

keydet89 — Mon, 23 Jul 2007 17:39:26 +0000

Great interview! I found it funny that Bret was asking questions that have been asked before, but there are just no answers available.

With malware that looks for certain applications to be run (ie, AV software, firewalls, etc), I wonder if anyone has seen malware that decrypts the values and either collects data, or gleans intel from the contents of the key…

Good job, Didier!

Harlan